AMENDMENTS TO THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims 
in the application: 

Listing of Claims: 

1 1-24 (Canceled). 

1 25. (Currently amended) A method for managing encryption within a 

2 database system, wherein encryption is performed automatically and transparently 

3 to a user of the database system, the method comprising: 

4 receiving a request at the database system to store data in the database 

5 system; 

6 wherein the request is directed to storing data in a portion of the database 

7 system that has been designated as encrypted; 

8 wherein the portion of the database system that has been designated as 

9 encrypted is one or more columns of the database system; 



1 0 in response to receiving the request: 

1 1 creating a digest of the data, wherein the digest is a 

1 2 cryptographic function of the data, and 

1 3 automatically encrypting data within the database system 

14 using an encryption function to produce an encrypted data, wherein 

1 5 using the encryption function involves using an encryption key 

1 6 recovered from an obfuscated copy of a keyfile within volatile 

1 7 memory; and 

1 8 storing the encrypted data in the database system; 

19 wherein the digest is used to detect tampering with the encrypted data. 

2 
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1 26. (Currently amended) The method of claim 25, 

2 wherein the portion of the database system that has b e en designated as 

3 encrypted includes a column of the database system; 

4 wherein the encryption function uses a key stored in a keyfile managed by 

5 a security administrator; and 

6 wherein the encrypted data is stored using a storage function of the 

7 database system. 

1 27. (Previously presented) The method of claim 26, further comprising: 

2 receiving a request to retrieve data from the column of the database 

3 system; 

4 if the request to retrieve data is received from a database administrator, 

5 preventing the database administrator from decrypting the encrypted data; 

6 if the request to retrieve data is received from the security administrator, 

7 preventing the security administrator from decrypting the encrypted data; and 

8 if the request to retrieve data is from an authorized user of the database 

9 system, allowing the authorized user to decrypt the encrypted data. 

1 28. (Previously presented) The method of claim 26, wherein the security 

2 administrator selects one of, data encryption standard (DES) and triple DES as a 

3 mode of encryption for the column. 

1 29. (Previously presented) The method of claim 26, wherein the security 

2 administrator, a database administrator, and a user administrator are distinct roles, 

3 and wherein a person selected for one of these roles is not allowed to be selected 

4 for another of these roles. 
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1 30. (Previously presented) The method of claim 26, wherein managing the 

2 keyfile includes, but is not limited to: 

3 creating the keyfile; 

4 establishing a plurality of keys to be stored in the keyfile; 

5 establishing a relationship between a key identifier and the key stored in 

6 the keyfile; 

7 storing the keyfile in one of, 

8 an encrypted file in the database system, and 

9 a location separate from the database system; and 

1 0 moving the obfuscated copy of the keyfile to the volatile memory within a 

1 1 server associated with the database system. 

1 31. (Previously presented) The method of claim 30, wherein the key 

2 identifier associated with the column is stored as metadata associated with a table 

3 containing the column within the database system. 

1 32. (Previously presented) The method of claim 30, further comprising 

2 establishing encryption parameters for the column, wherein encryption parameters 

3 include encryption mode, key length, and integrity type by: 

4 entering encryption parameters for the column manually; and 

5 recovering encryption parameters for the column from a profile table in the 

6 database system. 

1 33. (Previously presented) The method of claim 26, wherein upon 

2 receiving a request from the security administrator specifying the column to be 

3 encrypted, if the column currently contains data, the method further comprises: 

4 decrypting the column using an old key if the column was previously 

5 encrypted; and 
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6 



encrypting the column using a new key. 



1 34. (Currently amended) A computer-readable storage medium storing 

2 instructions that when executed by a computer causes the computer to perform a 

3 method for managing encryption within a database system, wherein encryption is 

4 performed automatically and transparently to a user of the database system, the 

5 method comprising: 

6 receiving a request at the database system to store data in the database 

7 system; 

8 wherein the request is directed to storing data in a portion of the database 

9 system that has been designated as encrypted; 

10 wherein the portion of the database system that has been designated as 

11 encrypted is one or more columns of the database system; 

1 2 in response to receiving the request: 

1 3 creating a digest of the data, wherein the digest is a 

14 cryptographic function of the data, and 

1 5 automatically encrypting data within the database system 

1 6 using an encryption function to produce an encrypted data, wherein 

1 7 using the encryption function involves using an encryption key 

1 8 recovered from an obfuscated copy of a keyfile within volatile 

19 memory; and 

20 storing the encrypted data in the database system; 

21 wherein the digest is used to detect tampering with the encrypted data. 

1 35. (Currently amended) The computer-readable storage medium of claim 

2 34, 

3 wherein the portion of the database s ystem that has been designated as 

4 encrypt e d includ e s a column of the database syst e m; 

5 
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5 wherein the encryption function uses a key stored in a keyfile managed by 

6 a security administrator; and 

7 wherein the encrypted data is stored using a storage function of the 

8 database system. 

1 36. (Previously presented) The computer-readable storage medium of 

2 claim 35, the method 

3 further comprising: 

4 receiving a request to retrieve data from the column of the database 

5 system; 

6 if the request to retrieve data is received from a database administrator, 

7 preventing the database administrator from decrypting the encrypted data; 

8 if the request to retrieve data is received from the security administrator, 

9 preventing the security administrator from decrypting the encrypted data; and 

10 if the request to retrieve data is from an authorized user of the database 

1 1 system, allowing the authorized user to decrypt the encrypted data. 

1 37. (Previously presented) The computer-readable storage medium of 

2 claim 35, wherein the security administrator selects one of, data encryption 

3 standard (DES) and triple DES as a mode of encryption for the column. 

1 38. (Previously presented) The computer-readable storage medium of 

2 claim 35, wherein the security administrator, a database administrator, and a user 

3 administrator are distinct roles, and wherein a person selected for one of these 

4 roles is not allowed to be selected for another of these roles. 

1 39. (Previously presented) The computer-readable storage medium of 

2 claim 35, wherein managing the keyfile includes, but is not limited to: 
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3 creating the keyfile; 

4 establishing a plurality of keys to be stored in the keyfile; 

5 establishing a relationship between a key identifier and the key stored in 

6 the keyfile; 

7 storing the keyfile in one of, 

8 an encrypted file in the database system, and 

9 a location separate from the database system; and 

10 moving the obfuscated copy of the keyfile to the volatile memory within a 

1 1 server associated with the database system. 

1 40. (Previously presented) The computer-readable storage medium of 

2 claim 39, wherein the key identifier associated with the column is stored as 

3 metadata associated with a table containing the column within the database 

4 system. 

1 41 . (Previously presented) The computer-readable storage medium of 

2 claim 39, wherein the method further comprises establishing encryption 

3 parameters for the column, wherein encryption parameters include encryption 

4 mode, key length, and integrity type by: 

5 entering encryption parameters for the column manually; and 

6 recovering encryption parameters for the column from a profile table in the 

7 database system. 

1 42. (Previously presented) The computer-readable storage medium of 

2 claim 35, wherein upon receiving a request from the security administrator 

3 specifying the column to be encrypted, if the column currently contains data, the 

4 method further comprises: 
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5 decrypting the column using an old key if the column was previously 

6 encrypted; and 

7 encrypting the column using a new key. 

1 43. (Currently amended) An apparatus that facilitates managing encryption 

2 within a database system, wherein encryption is performed automatically and 

3 transparently to a user of the database system, comprising: 

4 a receiving mechanism that is configured to receive a request at the 

5 database system to store data in the database system; 

6 wherein the request is directed to storing data in a portion of the database 

7 system that has been designated as encrypted; 

8 wherein the portion of the database system that has been designated as 

9 encrypted is one or more columns of the database system; 

10 a digest creating mechanism configured to create a digest of the data, 

1 1 wherein the digest is a cryptographic function of the data; 

12 an encrypting mechanism that is configured to automatically encrypt data 

1 3 within the database system using an encryption function to produce an encrypted 

14 data, wherein using the encryption function involves using an encryption key 

1 5 recovered from an obfuscated copy of a keyfile within volatile memory; and 

1 6 a storing mechanism that is configured to store the encrypted data in the 

17 database system; 

1 8 wherein the digest is used to detect tampering with the encrypted data. 

1 44. (Currently amended) The apparatus of claim 43, 

2 wherein the portion of the database system that has been designated as 

3 encrypted includes a column of the database system; 

4 wherein the encryption function uses a key stored in a keyfile managed by 

5 a security administrator; and 
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6 wherein the encrypted data is stored using a storage function of the 

7 database system. 



1 45. (Previously presented) The apparatus of claim 44, further comprising: 

2 the receiving mechanism that is further configured to receive a request to 

3 retrieve data from the column of the database system; 

4 an access mechanism that is configured to prevent a database administrator 

5 and the security administrator from decrypting the encrypted data; and 

6 wherein the access mechanism is configured to allow an authorized user 

7 of the database system to decrypt the encrypted data. 

1 46. (Previously presented) The apparatus of claim 44, further comprising a 

2 selection mechanism that is configured to select one of, data encryption standard 

3 (DES) and triple DES as a mode of encryption for the column. 

1 47. (Previously presented) The apparatus of claim 44, wherein the security 

2 administrator, a database administrator, and a user administrator are distinct roles, 

3 and wherein a person selected for one of these roles is not allowed to be selected 

4 for another of these roles. 

1 48. (Previously presented) The apparatus of claim 44, further comprising: 

2 a creating mechanism that is configured to create the keyfile; 

3 an establishing mechanism that is configured to establish a plurality of 

4 keys to be stored in the keyfile; 

5 wherein the establishing mechanism is further configured to establish a 

6 relationship between a key identifier and the key stored in the keyfile; 

7 wherein the storing mechanism is further configured to store the keyfile in 

8 one of, 
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9 an encrypted file in the database system, and 

10 a location separate from the database system; and 

1 1 a moving mechanism that is configured to move the obfuscated copy of 

12 the keyfile to the volatile memory within a server associated with the database 

13 system. 

1 49. (Previously presented) The apparatus of claim 48, wherein the key 

2 identifier associated with the column is stored as metadata associated with a table 

3 containing the column within the database system. 

1 50. (Previously presented) apparatus of claim 48, wherein the 

2 establishing mechanism is further configured to establish encryption parameters 

3 for the column, wherein encryption parameters include encryption mode, key 

4 length, and integrity type, and wherein the establishing mechanism includes: 

5 an entering mechanism that is configured to enter encryption parameters 

6 for the column manually; and 

7 a recovering mechanism that is configured to recover encryption 

8 parameters for the column from a profile table in the database system. 

1 51. (Previously presented) The apparatus of claim 44, further comprising: 

2 a decrypting mechanism that is configured to decrypt the column using a 

3 previous key if the column was previously encrypted; and 

4 wherein the encrypting mechanism is further configured to encrypt the 

5 column using a new key. 
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